Author: Christian Mancier, Gorvins solicitors
It’s one of the great paradoxes of the high-tech evolution. Scientific innovation allows us to create, automate, store and analyse ever increasing amounts of data. Then random carelessness magnificently unravels all that has been achieved.
So while employees are often one of the most vital assets any business can have, they also represent one of the greatest data risks to any organisation – whether that be from disgruntled staff seeking some form of revenge on their employers to innocent mistakes.
[W]ith ever increasing volumes of data comes huge scope for human error
It’s a situation that’s only going to get worse. Where once the world’s most valuable firms were predominantly from the oil and energy sector, today the commercial landscape is dominated by tech companies such as Apple, Amazon, Microsoft and Facebook whose businesses are essentially built on data. But with ever increasing volumes of data comes huge scope for human error.
According to statistics obtained from the UK’s Information Commissioner’s Office, human error is the main cause of data breaches. Another tract of research found that human error accounted for almost two-thirds (62 percent) of the incidents reported to the Information Commissioner’s Office – a huge number when hacking and insecure web pages combined accounted for no more than nine percent.
Could it be that the greatest limiting factor of digital and technological achievement is – quite simply – the human bit?
While the majority of headline-grabbing data breaches come from some form of cyber fraud, where quite often the sheer scale of the data exposed is enough to warrant the headline (think of Yahoo recently disclosing a 2013 data breach where over three billion e-mail accounts were compromised), data breaches rooted in human error happen on a daily basis – and sometimes with devastating effect.
Of course that’s the thing about being human. The chemical, psychological and sociological influences of our world can’t help but influence the way we act – however professional we intend to be. A bad night’s sleep or a pre-work row with a partner can all, at least subliminally, impact on how switched on we are when it comes to the office.
But how can we protect confidential and personal data and protect it from breach?
Unless employees understand the legislative framework, the level of risk to their organisation (both reputational and financial) and how that effects what they do day to day, staff will never really fully understand the impact of their actions while carrying out their day-to-day tasks.
The introduction of compulsory breach reporting, coupled with a significant rise in the maximum fines for data breaches (increasing from £500,000 to a maximum of €20m or, if higher, four percent of global turnover) means that data, could actually become a toxic asset – the equivalent of asbestos for the 21st century digital age.
We have seen significant fines issued where employees have not wiped hard drives in accordance with the correct policy for doing so and subsequently sold those hard drives on e-bay containing medical data of several thousand patients – or where faxes containing details of child abuse proceedings have been sent to the wrong fax number. These fines will only increase under the new regime of compulsory breach reporting.
Get the message out that careless mistakes cost a fortune, can affect the financial health and reputation of the company – and even its employment security.
Identify the problem
Broadly speaking, human error tends to involve data posted, emailed or faxed to the wrong recipient or loss (theft?) of paperwork. Not encrypting data on portable devices and then losing those devices, and failure to redact data appropriately are also key areas where human error demolishes data protection.
An especially common form of human error happens when e-mail marketing is sent out and all the recipients are identifiable to each other rather than being a sent one where email addresses are hidden via a blind copy (Bcc).
While there is software now available to organisations to help detect and prevent this kind of incident, this type of breach is still all too frequent and one such example occurred back in 2015 when a HIV clinic sent out a mailshot to over 700 users who had previously opted to receive test results and book appointment by e-mail. This resulted in the NHS Foundation Trust concerned receiving a £180,000 fine.
Understand the issues
There’s no substitute for education – inculcating staff culture with a profound understanding of the need to be uber careful. Whether it’s regular training sessions, company pep talks or poster campaigns around the office reminding people of the need to check and double check whether they are doing, staff training is perhaps the key to offsetting human error.
Many organisations have excellent written policies dealing with data protection matters covering things such as encrypting data on portable data storage devices, wiping hard drives after use, not taking physical hard copy files out of the office. However, if staff are not trained on these policies, how are they expected to comply them; they must be able to relate written regulations to their physical actions.
While software is also available to help prevent the spread of computer viruses or malicious software used to access and steal data, the prevention software is often one step behind the viruses themselves and as such there is also a window of opportunity where an employee innocently opens an e-mail or clicks on a link that releases the virus and infects their system, possibly having devastating consequences on their employers’ systems and data integrity.
You need someone on the case, constantly monitoring this and employees need to be trained on an on-going basis around what to look out for suspicions e-mail or link wise.
Smart approaches to matters such as email encryption and online collaboration is only part of the way to ensure correct protection and control is applied to data. The rest is down to we human beings who all need reminding that while we may be smart enough to build the future, we must not be careless enough to throw it all away.
Christian Mancier is a partner in the corporate and commercial law department at Gorvins Solicitors, and a specialist in data protection law.